DIFC Enacts Amended Data Protection Regulations

Jacques Visser

Published: 07/09/2023

  • Regulation 10 is the first enacted regulations in the MEASA region on the processing of personal data via autonomous and semi-autonomous systems such as artificial intelligence (AI) or generative, machine learning technology.
"DIFC’s outcomes-based approach vis-a-vis application of the DP Law 2020 obligations to the development and use cases for systems provides a more collaborative, transparent way of creating and maintaining an innovative yet safe autonomous system.”
– Jacques Visser, DIFC Commissioner of Data Protection

Dubai, UAE; 7 September 2023: Dubai International Financial Centre (DIFC), the leading global financial centre in the Middle East, Africa and South Asia (MEASA) region, has enacted amendments to the Data Protection Regulations. The amendments enhance the current data protection framework, keeping the Centre at the forefront of data protection in the region.

Amendments to the Data Protection Regulations

The amendments to the Data Protection Regulations address the means for better, safer and more ethical management of personal data processing and operations. The updated regulations provide clarity on:

  • Personal Data Breach assessment and reporting obligations in Regulation 8, including situations where a temporary custodian finds personal data that has been inadvertently left behind or lost;
  • Use and collection of Personal Data for marketing and communications, particularly regarding appropriate notices when employing systems that may impair data individuals’ rights to restrict or remove their personal data, default cookies settings and conditions for consent, as set out in Regulation 9;
  • Investigations and enforcement powers of the Commissioner when a Controller or Processor may employ unfair or deceptive practices as defined in Regulation 6.2;
  • Personal data processed through digital, generative technology systems under Regulation 10.

In particular, Regulation 10 is ground-breaking as it is the first enacted regulations in the MEASA region on the processing of personal data via autonomous and semi-autonomous systems such as artificial intelligence (AI) or generative, machine learning technology. A key feature of Regulation 10 is that it creates space for DIFC to be a platform for interoperability of the many and varied guidelines and principles issued by sovereign governments and non-governmental organisations. Creating a plug and play space for application of ‘best fit’ principles to AI technology development is fundamental, responsible and ethical processing of personal data in such systems.

Commenting on Regulation 10, Jacques Visser, DIFC Commissioner of Data Protection said: “DIFC’s outcomes-based approach vis-a-vis application of the DP Law 2020 obligations to the development and use cases for systems provides a more collaborative, transparent way of creating and maintaining an innovative yet safe autonomous system.”

Use cases is expected to be tested through further consultation, inspection or supervision. The Commissioner’s Office is also considering testing use cases through participation in a regulatory sandbox comprised of technology developers, users, regulators and non- governmental or quasi-governmental organisations, all of whom have an interest in keeping systems safe and their uses practical for the digital age.

Guidance will be issued to accompany the updated Regulations in due course. Further details about the amended Data Protection Regulations can be found in DIFC Legal Database, which can be accessed here.